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We investigate the connection between the optimal collective eavesdropping attack and the opti- 
mal cloning attack where the eavesdropper employs an optimal doner to attack the quantum key 
distribution (QKD) protocol. The analysis is done in the context of the security proof in Refs. [HE] 
for discrete variable protocols in d-dimensional Hilbert spaces. We consider a scenario in which 
the protocols and doners are equipped with symmetries. These symmetries are used to define a 
quantum cloning scenario. We find that, in general, it does not hold that the optimal attack is an 
optimal doner. However, there are classes of protocols, where we can identify an optimal attack by 
an optimal doner. We analyze protocols with 2, d and d + 1 mutually unbiased bases where d is 
a prime, and show that for the protocols with 2 and d + 1 MUBs the optimal attack is an optimal 
doner, but for the protocols with d MUBs, it is not Q Finally, we give criteria to identify protocols 
which have different signal states, but the same optimal attack. Using these criteria, we present 
qubit protocols which have the same optimal attack as the BB84 protocol or the 6-state protocol. 



I. INTRODUCTION 

The objective of quantum key distribution (QKD) is to 
establish a secret key between two legitimate parties (Al- 
ice and Bob), that is unknown to an eavesdropper (Eve). 
The secret key can be used later in cryptographic appli- 
cations, for example to facilitate secure communication. 

To start a QKD protocol Alice prepares quantum 
states (signal states) and sends them through a quantum 
channel to Bob, who performs measurements on them. 
These type of protocols are referred to as prepare-and- 
measure protocols and result in quantum mechanically 
correlated classical data being shared between Alice and 
Bob. They can extract a secret key from this data us- 
ing classical communication protocols. For this to suc- 
ceed, Alice and Bob need to be able to upper bound 
the amount of information Eve can gain on the corre- 
lated data. This information comes from an interaction 
of Eve with the signals. For any such attack, there is a 
trade-off between the amount of information that leaks 
to Eve and the amount of disturbance that she causes 
to the signal states. From the observation of this distur- 
bance, Alice and Bob can estimate Eve's information on 
the data and perform suitable communication protocols 
to distill secret keys form their data on which Eve has no 
information. 

In this paper, we deal with the problem of finding the 
optimal interaction between Eve and the signals. Our 
approach to the security analysis is to restrict Eve to 
collective attacks [U [2] in which she interacts with each 
signal separately as the range of the validity of this attack 
can be shown to extend to the most general attack (see 



section III ) . A collective attack is completely determined 
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by a unitary interaction Ue between the signal states and 
some additional ancilla states held by Eve. The optimal 
attack which gives the highest amount of information to 
Eve (by some suitable measure) for a given amount of 
disturbance is denoted by U E pt . 

One specific type of interaction is an optimal quantum 
doner [3J. An optimal doner is a unitary transforma- 
tion £/£ pt that acts on the signal states and some ancilla 
states, with the objective of producing two copies of the 
signal states. The optimal doner has the property that 
the copies emerge with the highest fidelity (with respect 
to the original signal states) allowed by quantum mechan- 
ics. An optimal doner is called symmetric if the fidelities 
of the two copies are the same, and asymmetric if the 
fidelities are different. Consider now the following eaves- 
dropping attack: Eve uses an optimal asymmetric doner 
to copy the signal states sent by Alice, forwards one copy 
to Bob, and keeps the other copy for herself. She choscs 
the optimal doner in such a way that the fidelity of Bob's 
copy is in agreement with Bob's measurement outcomes. 
In [1H5], such cloning attacks were used to model Eve's 
attack, but optimality was only conjectured. Indeed, for 
some protocols (e.g. the BB84 [7] or the 6-state protocol 
[8]), the optimal attack is known to be an optimal doner, 
but in general the relationship between optimal cloning 
and optimal eavesdropping is unknown. 

The goal of the present work is to establish the connec- 
tion between optimal eavesdropping on QKD protocols 
and optimal cloning in the context of the security defi- 
nition in Refs. ^ [5] for protocols with direct, one-way 
reconciliation. We consider protocols with symmetries 
so that, without loss of generality, the optimal attack is 
found in a set with a corresponding symmetry. In this 
scenario, it turns out that a necessary condition for an 
optimal doner to be a candidate for an optimal attack 
is the strong covariance condition [5] . This condition en- 
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sures that the optimal cloner and the optimal attack are 
drawn from the same set, and that the optimal cloner 
uses the same number of ancilla states as the optimal 
eavesdropping attack. If strong covariance does not hold 
for the optimal cloner defined by the signal states of the 
QKD protocol, we can already conclude that the optimal 
attack on the QKD protocol is not an optimal cloner. 

In this paper, we calculate the optimal attack for qubit- 
based protocols (e.g. the BB84 and the 6-state protocol) 
and for protocols in d-dimensional Hilbert spaces using 
mutually unbiased bases (MUBs) (e.g. protocols with 
2 MUBs, d+1 MUBs g] or d MUBs) and compare the 
results to the optimal cloner. The security of these pro- 
tocols has been studied previously in Refs. [U EH El ITOl - 
IT2"] . In Ref. [TJ], in particular, the security was proven 
for protocols with 2 and d + 1 MUBs using the security 
proof methods of Refs. [IJ [2]. 

Additionally, we observe that some groups of QKD 
protocols that share some common symmetry features 
can be proven to have the same optimal attack, despite 
having different sets of signal states. As an example, we 
present qubit protocols which have the same optimal at- 
tack as the BB84 protocol or the 6-state protocol, and we 
give criteria to identify protocols with the same optimal 
attack. 

This paper is organized as follows. In section [TT] we 
describe prepare-and-measure protocols using a thought 
set-up that includes entangled states and is referred to as 
the source-replacement scheme. In section [lTl| we summa- 
rize the security proofs given in Refs. [TJ [2]. In section 
|IV[ we provide two theorems about the convexity and 
concavity properties, as well as a lemma about the in- 
variance property of the classical mutual information and 
the Holevo quantity. In section |V] we describe protocols 
with a symmetry in the signal states. Under the assump- 
tion that Alice and Bob use only averaged measurement 
quantities, and that the classical post processing respects 
certain symmetry properties, we show that the symme- 
tries of the signal states can be transfered to Eve's inter- 
action. This holds true in particular for the class of pro- 
tocols where the signal states are composed of complete 
sets of basis states, and where Alice and Bob discard data 
where they disagree on the basis after the measurement. 
The formalism of quantum doners is summarized in sec- 
tion VI along the lines of Ref. [5]. The main statement 
of section |VII| is that the optimal doner must be strong 
covariant in order to be an optimal attack. However, 
strong covariance alone does not yet uniquely determine 
if the optimal attack is an optimal cloner. We summa- 
rize the features of the class of protocol where the signal 
states are invariant under the generalized Pauli group, 
for which the corresponding cloning attack is known to 
be strong covariant. In section [VIII| we give examples of 
protocols which use the mutually unbiased eigenbases of 
the generalized Pauli operators and analyze the relation 
between the optimal attack and the optimal cloner. In 
section |IX| we provide a theorem for the class of proto- 
cols with complete sets of basis states and basis sifting, 



which allows us to determine when the optimal attacks 
of different protocols in this class are the same. Finally, 
we draw conclusions in section 1X1 



II. SOURCE-REPLACEMENT SCHEME 

A typical QKD protocol consists of a quantum and 
a classical phase. In the quantum phase, Alice chooses 
signal states \<p x ) from a set S with probability p{x) de- 
fined on a d-dimensional Hilbert space. She sends the 
signal states through a quantum channel to Bob, who 
performs measurements on them by means of a positive 
operator valued measures (POVM) = {B y }, result- 
ing in a joint probability distribution p(x,y). This sig- 
nal preparation scheme is typically called prepare-and- 
measure scheme. In the classical phase, Alice and Bob 
perform error correction and privacy amplification, in or- 
der extract a secret key from their measurement data. 

The security proof of a protocol is more conveniently 
described in the source-replacement scheme, which is 
equivalent to the prepare-and-measure scheme. The 
source-replacement scheme is a thought set-up, in which 
Alice creates the bipartite entangled state (source state) 
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in her lab, keeps the first half for herself and sends the 
other half to Bob. The states |x) form an orthonormal 
basis X — {\x),x — 0, |S| — 1} of an |S|-dimensional 
Hilbert space Hx- In order to prepare the state \(p x ) at 
Bob's side, Alice performs a projective measurement in 
the basis X, which triggers the source state to collapse 
onto the conditional state with probability p(x). 

If the signal states are linearly dependent, we can 
rewrite the source state in a more compact form using 
the Schmidt decomposition of pure states. For this pur- 
pose, we define a d-dimensional subsystem Ha of T-Lx, 
and express the source state on the "compressed" space 

n A ®n s 
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In this expression the Schmidt basis B = {\i)s',i = 
0, ...,d — 1} of system S and the Schmidt coefficients 
defined as the eigenbasis and the square 
roots of the eigenvalues of the reduced operator 0s = 
tr x {|$)xs($|}- The Schmidt basis A = {\i) A ]i = 
0, ...,d — 1} of system A can be explicitly given by the 

= Ex VpT* 



orthonormal vectors 
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where 



the otf' = (i\ip x ) are the coefficients of the signal states 
in the Schmidt basis B. In the following, we omit the bar 
in |z) for simplicity. 

Furthermore, Alice's von Neumann measurement in 
the basis X on the larger space Hx is the Naimark ex- 
tension of a measurement = {A x } with respect to 
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rank-one POVM elements A x on the smaller space Ha 
given by 



(3) 



Here we define the density matrix of Alice's reduced state 
as 

PA =tr s {|$) AS ($|}, (4) 

and the states 

i^> = Ei j )(^i i ) = Ei i )K (a;) )*' ( 5 ) 

i i 

where the symbol * denotes the complex conjugate with 
respect to the Schmidt basis A. The operators A x are 
positive, sum up to the identity, and satisfy the property 
t? A {A x ®l\§){$\} = p(x)\ip x )(p x \. 

After Eve's interaction with the signal states, but prior 
to Alice and Bob's measurements, the state held by Al- 
ice and Bob is described by an unknown (mixed) state 
Pab instead of a perfect copy of the source state. Nev- 
ertheless, Alice and Bob have some information about 
Pab due to their measurements. They can constrain the 
form of Pab from the probability distribution of their 
measurement outcomes 
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FIG. 1: In the source-replacement scheme, Alice prepares 
the entangled state |<J>). The system A is kept by Alice, while 
the system S is sent through the quantum channel to Bob. 
Eve attaches ancillas to the signal states and performs a uni- 
tary transformation on the joint system SE, transforming it 
to BE. She resends the system B to Bob. After Eve's interac- 
tion, Alice and Bob no longer share a perfect copy of |$), but 
a bipartite state pab, which is only partially characterized by 
their observations. 



Note that to each pab an entire class of purifications 
I*)ab_e = ~^AB ® WeY$) abe can be constructed, where 
W is local unitary transformation on Eve's system. In 
what follows such local transformations on Eve's system 
are irrelevant. 



p(x, y) = tr{Ar ® By pab} (6) 

in a process called parameter estimation. In addition, 
Alice and Bob know that Alice's reduced density ma- 
trix of pab remains unchanged, as already anticipated 
in equation Q, because the system A never leaves Al- 
ice's lab (see Fig. [I]). However, unless Alice and Bob's 
measurements are sufficient to obtain a tomographically 
complete parametrization of pab, there could be many 
states pab that are compatible with p(x,y) and pa- For 
what follows, it is useful to make the following definition 

Definition 1 The set T contains all bipartite states 
Pab that are compatible with the measurement outcomes 
p(x,y) and that have a given reduced state pA- 

In the source-replacement scheme Eve attaches ancil- 
las (defined on the system E) to the second half of the 
source state |$).as followed by a unitary transformation 
Ue which takes the composite system SE to BE. She 
then keeps the transformed ancillas for herself, and re- 
sends the remaining system B to Bob (see Fig. [TJ). The 
mixed state pab is the result of Eve's interaction with the 
signal states. Eve's unitary transformation Ue is equiv- 
alently characterized by the purification \^)abe of pab 
on the dilated space T-Labe, where the dimension of the 
purifying system E is the same as the dimension of AB. 
In order to guarantee unconditional security of the pro- 
tocol, we must assume that Eve can exploit everything 
allowed by quantum mechanics for her attack, which is 
realized by giving her full control over \^)abe- 



III. KEY RATE 

The security proof presented in Refs. [H0IH] provides 
a bound on the rate at which Alice and Bob can extract 
a secret key. The proof is valid for collective attacks and 
for one-way classical communication. In many cases the 
proof can also be extended to hold for coherent attacks 
and two-way communication [151 116] . 

Given Alice, Bob and Eve share the purification |W) of 
the state Pab- After Alice and Bob measure their sys- 
tems with respect to A x and B y , they share the tripartite 
classical-classical-quantum (ccq) state [T] 

Pxye = J2p(x,y)\x}(x\ x ® \y){y\v®p X E (7) 
x,y 

where \x) and \y) are two sets of orthonormal bases, and 
P X e = tY A B{A x ®B y ®t E \^){^\}/p{x,y) are Eve's quan- 
tum states conditioned on the event that Alice and Bob's 
outcomes were x and y. 

Using error correction and privacy amplification, Alice 
and Bob extract a secret key from the ccq state pxye- A 
typical choice for the error correction is one-way reconcil- 
iation, in which the data of one party is set as a reference 
for the key, and the other party must correct her or his 
noisy data to match the reference. For our purposes, we 
will consider protocols with direct reconciliation, that is, 
Alice's data serves as the reference key and Bob corrects 
his data accordingly. The rate, established in [Tl 121 114j. 
at which an unconditionally secure key against collective 
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attacks can be extracted is given by 

r( PxYE )=I(X :Y)- X (X : E), (8) 

where I(X : Y) = H(X) + H(Y) - H(X,Y) is the clas- 
sical mutual information of Alice and Bob's data, and 
X(X : E) = H{X) + S{E) - S(X, E) is the Holevo quan- 
tity or quantum mutual information between Alice and 
Eve. H and S denote the Shannon entropy and the von 
Neumann entropy, respectively. The Holevo quantity is 
explicitly given by 

X (X:E) = S( Pe )-J2p(x)S(p X e)- (9) 

X 

where p E is Eve's state conditioned on Alice's value x 
and pe = J2 x p{x)Pe ^ s Eve's reduced state. For the 
practical calculation of the Holevo quantity, an explicit 
reference to the system E can be eliminated, because the 
entropies S(pe) and S{p x E ) can be expressed in terms 
of quantities on the systems AB: If the state \^f) is 
pure, then S(pab) — S(p E )- If, furthermore, Alice uses 
rank-one POVM elements, then the conditional states 
Pbe = ^ x a{A x ® 1 beY$) (^1} /p{x) are pure, and there- 
fore S(p%) — S(p B ). In this situation, the Holevo quan- 
tity simplifies to 

X (X:E)=S( Pab )-J2p(x)S(Pb)- (10) 

X 

Usually, the key is not directly extracted from the state 
Pxyei because the data p{x,y) might be only weakly 
correlated. Alice and Bob typically postselect on highly 
correlated data before proceeding with the protocol. For 
example, Alice and Bob might ignore events which they 
measured in different bases - so called basis sifting - or 
they might discard data, where Bob did not record a de- 
tection event. Effectively, the key is extracted from a 
postselected state £( P ab), which has again two classi- 
cal registers XY on Alice and Bob's side and a quantum 
register E on Eve's side, but also additional classical reg- 
isters carrying the information about the communication 
(announcements) between Alice and Bob that arise dur- 
ing the postselection. 

Here we give a short description of the postselection 
that leads to £( P ab)- For a more detailed formalism see 
appendix [XJ Alice and Bob announce some information 
about each signal to the public, that typically does not 
reveal any direct knowledge about the secret key. In the 
case of the sifting process, for example, they announce 
their basis choices. Depending on the announcement, 
the signal is either kept or discarded. Let us denote the 
announcements of the kept signals by u. On the level of 
the quantum state Pab-, the measurement with respect 
to and Mg followed by the announcement and the 
discarding is equivalently described by first a filtering 
operation on pab followed by new measurements. The 
filtering yields transformed states p\ B depending on the 
announcement u. The state held by Alice and Bob before 
the new measurement is then a convex combination of 



states p u AB over the classical subsets u with probability 
p(u) 

P = J2p(u)Pab®H(u\. (11) 

u 

The new measurement is then performed on each p AB 
independently. In order to preserve the probability dis- 
tributions of the measurement outcomes, we identify new 
pairs of POVMs and Mg conditioned on the an- 
nouncement u. By giving to Eve the purification of each 
Pabi we obtain new ccq states Pxye f° r ea ch announce- 
ment u after the measurement with respect to and 
Mg. The effective state £{pab) after the post-selection 
is then described by the convex combination 

£( P ab)=J2p( u )Pxye^\u)(u\. (12) 

u 

If we choose to extract the key from each Pxye inde- 
pendently, the effective key rate is given by 

f{£{ PAB )) =Y,p^y{p u xYE), (13) 

u 

where r is the key rate given in equation ([8]). Other 
choices of key extraction may combine different outcomes 
into one stream, but here we choose to analyze the sim- 
pler case of separate processing. 

By defining the total Holevo quantity and the total 
mutual information by 

X{£ (p AB )) ■■= J2p( u )Xu(X :E), (14) 

U 

I(£( P ab)) ■= 5>K)J„(X : Y), (15) 

u 

where Xu(X ■ E) and I U (X : Y) are the Holevo quantity 
and the mutual information of the state Pxyei we can 
rewrite the effective key rate as 

f(£(p AB )) = I(£( P ab)) - x(£(pab))- (16) 

If Alice and Bob knew Eve's attack strategy, the calcu- 
lation of the key rate would be straightforward. However, 
all Alice and Bob know is that they share a state P ab 
from the set T in Def. [l] Therefore, Eve has the freedom 
to chose any attack, as long as it creates a state pab that 
is compatible with T. Among all these possible attacks, 
the one that generates the lowest key rate 

r m m = hif t(£(pab)) (17) 

is defined as the optimal attack. We call the pure state 
corresponding to the optimal attack |^) opt with the re- 
duced state P°ab- If Alice and Bob want to guarantee 
that their protocol is secure, they must assume that Eve 
performed the optimal attack. Hence, they cannot gen- 
erate a secret key at a rate higher than r m i n for the given 
protocol. 
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IV. PROPERTIES OF THE MUTUAL 
INFORMATION AND THE HOLEVO QUANTITY 

In this section we give three properties of the classical 
mutual information and the Holevo quantity. 

At first, we introduce a new notation for the mutual 
information and the Holevo quantity, that is more conve- 
nient for our purposes throughout the rest of this paper. 
Let Alice and Bob share a quantum state pab , which they 
measure with respect to the POVM M.ab = {A x <E) B y : 
A x E M.a, By 6 Ms}. We always assume that Eve holds 
the purification |\&) of pab- Instead of denoting I(X : Y) 
with the dependence on the registers XY, we denote the 
mutual information by 



This property (22 1 does not hold in general. For exam- 



I( P ab,Mab) :=I(X:Y). 



(18) 



By specifying the quantum state pab and the POVM 
M.ab, the measured state on the registers XY is entirely 
defined. On the other hand, the Holevo quantity can be 
directly calculated from the cq-state pxe that emerges 
after Alice's measurement of |\E') and after tracing over 
Bob's system. We write 



X(pab,M a ):= X (X :E) 



for the Holevo quantity implying that there is a step from 
Pab to I*). 

In the first theorem of this section we show that the 
classical mutual information I [pab, M-ab) is convex over 
Pab with fixed probability distribution p(x) = tv{A x pA}- 
We call this feature "weak convexity" to indicate that 
convexity only holds with the restriction on p(x). 

Theorem 1 (Weak convexity). Given the states 
Pab, °~ab and the convex sum Pab — Xpab + (1 — X)o~ab 
for X G [0, 1] with probability distributions p(x, y) — 
tr{Ar ig) By pab}, q(x,y) = tr{A x eg) B y oab) and 
p(x, y) — Xp(x, y) + (1 — X)q(x, y) . If the probability dis- 
tributions satisfy p(x) = q{x) for all x, then the mutual 
information is convex in the sense that 

I(pab,M ab ) < \I(pab,M ab ) + (1 - X)I{a AB ,M AB ). 

(20) 

The proof of this theorem is given in appendix |B| 

Second, we show that the Holevo quantity x{pab, M^) 
is concave as a function of pab- 

Theorem 2 (Concavity). Given the states pab, o~ab 
and the convex sum Pab — ^Pab + (1 — X)o~ab f or 
X G [0, 1] . Then, the Holevo is concave, meaning that 
it satisfies the property 

X {PabMa) > Xx(pab,M a ) + (1 - X) x {°abMa)- 

(21) 

The proof of this theorem is in appendix [C] 

Since we use postselection in our protocols, we need to 
extend these theorems to hold for the key rate f(E (pab)) 
in the following sense 

r(£(p A B)) < Xf{£{pA B )) + (1 - X)r{£(a AB )). (22) 



pie, under certain postselection strategies, the restriction 
p(x) = q(x) in theorem [l] may be violated. We will show 
later that for sifting on orthogonal basis states, the con- 
vexity property (22) holds. 



Third, we show how I(pab,M-ab) and x(pab,^-a) 
change under unitary transformations of the input state 

PAB- 

Lemma 1 Given the states pab and gab = U ® 
V PabU^ <£) V"f. The mutual information and the Holevo 
quantity transform as follows: 

I(oabMab) = I(pab, ® V^MabU ® V) (23) 
X^abMa) = x(pab, U^M A U) (24) 



where we define the sets 

U^M A U := {U^A X U} 
V^M B V := {V^ByV} 

and the set 



(25) 
(26) 



( 19 ) <g) M AB U<Z>V:={U^ ® V\A X ® B y ) U <g> V^}. 



(27) 



The proof of this lemma is based on the cyclic property of 
the trace, and that the von Neumann entropy is unitarily 
invariant: S(UpW) = S(p). 

This lemma will prove useful in the next section, where 
we identify U and V with the unitary representations of 
the symmetry groups governing A x and B y . 



V. SYMMETRIES IN PROTOCOLS 

In this section we introduce a scenario, in which the set 
r can be reduced to a set T, which contains only states 
with a certain symmetry corresponding to the symme- 
tries of the signal states. 



A. Symmetries of the signal states and 
measurements 

Let G be a group with a unitary representation 
{U g \g € G}. A set of states S is G-invariant, if for all 



states \<p x ) € S and all g € G the state 

\Pg(x)}{<Pg(x)\ : = U g \(fi x )(ip x \U f g 



(28) 



is also in S. Here the index g(x) denotes the index of the 
state Ug\(p x ). The following lemma describes the symme- 
try properties of the POVM elements A x and the reduced 
state pa in the source replacement picture O ffl) : 



Lemma 2 If the initial probability distribution p(x) is 
uniform (p(x) = 1/|S| for all x) and the signal states are 
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G -invariant, then the set of POVM elements A a 
reduced state pa are G* -invariant, namely 



U*A a 



UT =A 



U>aU, 



sO)> 

PA- 



and the 

(29) 
(30) 



The symbols * and T denote the complex conjugate and 
the transpose with respect to the fixed Schmidt basis B. 

We prove lemma [2] in appendix [DJ Note that, with 
our particular definition of * and T with respect to the 
Schmidt basis, the operators U* and Uj are well-defined. 

In the following, we consider only protocols in which 
Bob's measurement operators B y are equipped with the 
G-invariance 

U g B y Ul = B g[y) . (31) 



B. Parameter estimation with symmetries 

The symmetries in the signal states alone do not guar- 
antee that the optimal eavesdropping attack is symmet- 
ric. Moreover, the observations and the post processing 
of the measured data also need to satisfy certain symme- 
try criteria. 

In many protocols only averaged measurement quanti- 
ties are kept for the parameter estimation. For example, 
often only the quantum bit error rate (QBER) averaged 
over all the signal states is monitored. In this section, 
and for the rest of this paper, we consider the scenario 
where Alice and Bob only keep averaged measurement 
quantities, and where the initial probability distribution 
p(x) — 1/| S| of the signals is uniform. In this scenario, 
Alice and Bob calculate a linear function Q of the prob- 
ability distribution p(x, y) with the invariance property 

Q\p(x,y)] = Q\p(9(x),9(y))] VjeG. (32) 
where the distribution 

p(g(x), g(y)) = t?{A g{x) ® B g{x) p AB ) (33) 

is generated by relabeling the POVM elements A x <£> B y 



by A 



B 



g(y)- 



Later on, we will identify Q with the 



average error rate. 

From now on, Alice and Bob's knowledge about pab 
is solely described by the average quantity Q instead of 
the more detailed distribution p(x,y). In the previous 
section the set of all states that are compatible with the 
measurement data was the set T in Def. [T] Now, since the 
average quantity Q is a coarse-grained version of p(x, y), 
the set of states which are compatible with Q, r avo , is a 
superset of T, containing all states of the form 



Pab 



U* q ®U gPAB {U* q ®U g y VgeG, 



(34) 



where pab € T. The states p^B have the properties that 
(i) they are compatible with Q, and (ii) their reduced 

state ^b{p^ab^ IS ec inal to pa- 




Weak convexity of r 

* (t 




FIG. 2: By only using averaged measurement quantities Q 
for parameter estimation, the set F is replaced by a bigger set 
r ave . Using the weak convexity of the key rate, the optimal 
attack can be chosen from a symmetrized set T. 



Let us now define a map that takes a bipartite state 
Pab and "symmetrizes" it with respect to the group G 

by averaging over all the Pab ■ ^ n the literature this map 
is commonly known as twirling, 



T G [pab] = PAB 



1 

W\ 



gee 



(35) 



where \G\ is the number of group elements in G. Due to 
the linearity of Q, r avc also contains all the states pab- 
The twirling map T G maps the set r avo to a subset, T, 
which contains only states of the form Pab- Each pab 
has the property that it commutes with all U* ® U t 



g- 



[pAB,U;®U g ] -0 VgeG. 



(36) 



The purification of a twirled state pab can be chosen to 
satisfies the following invariance: 



U* ®U g ®U g ® 17* |*) = |*) V.9 G G. 



(37) 



The existence of this particular choice of the purification 
has been proven in Rcf. [T7] for permutation groups, but 
the same proof holds for arbitrary groups as well. 



C. Symmetric attack 

One can restrict the search for the optimal attack p°£ B 
to a search over the set T, provided that the key rate of 
the particular protocol satisfies the convexity property 



f{£(pAB)) < 



1 1 gee 



))■ 



and the invariance property, 
?(£(pab)) 



(38) 



(39) 



under the corresponding symmetry group G. In this sit- 
uation, p° A V g results from a symmetric attack and must 
lie in the subset f C r avc with the key rate given by 



inf r(£ (pab))- 

PAB^T 



(40) 
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In Fig. [2] we represent schematically the transition 
from r to I\ The symmetrized states Pab are easily 
characterized using tools from representation theory. In 
appendix [Ej we show how to obtain pab using Schur's 
lemma. 

In summary, in order to evaluate the key rate over the 
symmetrized set T, the protocol needs to exhibit suffi- 
cient symmetries, both in the quantum phase and in the 
classical phase: 

1. Symmetries in quantum phase: the set of signal 
states S and Bob's POVM elements B y are G- 
invariant, and the a priori probability distribution 
p(x) is uniform. 

2. Coarse-grained parameter estimation: Alice and 
Bob restrict themselves to averaged measurement 
quantities Q in the parameter estimation. 

3. Convexity and invariance of the key rate: the key 
rate f(£ (pab)) satisfies 

(a) convexity r(£(p AB )) < jh\T, g eG f ( £ (pAB))' 

(b) invariance f(£(p AB )) = ^(Pab))- 

In particular, the convexity and invariance properties de- 
pend strongly on the postselection procedure and must 
be checked for each protocol independently. 



D. Examples of protocols with symmetric optimal 
attack: orthogonal bases as signal states 

Let us now construct a class of protocols where the 
set of signal states contains only complete sets of basis 
states, and where Alice and Bob postselect on events they 
measured in the same basis. This postselection is com- 
monly referred to as sifting. We will show for this class 
of protocols that the convexity ( 38 ) and invariance ( 39 ) 
of the key rate always holds. Therefore, by choosing to 
keep only the average error rate Q (defined below) for 
the parameter estimation, the optimal attack can always 
be assumed to be symmetric. 

First, we define the signal states and the measure- 
ments. Let us denote a basis of a d-dimensional Hilbcrt 
space by Bp — {\f(0.k)) : k = 0, ...,d— I}, where (3 is the 
basis index. Note that, in the following the states \<f(p t k)) 
carry two independent indices (/?, fc) instead of only one. 
The set of signal states of each protocol is then identified 
by 



Sc = {Bp : P € £}, 



(41) 



where C is the set from which the bases f3 are drawn. For 
each protocol the set C is fixed and contains \C\ elements. 
If each signal state | is chosen with equal a priori 

probability p(B, k) — l/(d ■ \C\), Alice's reduced state pA 
in equation Q is proportional to the identity p \ = 1 / d. 



Therefore, Alice's POVM elements in equation ^ reduce 
to the projectors 



.4 



(42) 



with Iv^fc)) = J2i K)(V(/9,fe)l*) defined in equation |5| 
Furthermore, we construct Bob's POVMs to be isomor 
phic to Alice's: 



B, 



G8,*0 



\<P(P,k)){<P(P,k)\- 



(43) 



Second, Alice and Bob postselect on those measure- 
ment outcomes, which they performed in the same basis. 
In this particular case, Alice and Bob's announcement u 
is the basis (3. 

We show three properties in appendix[F|for these pro- 
tocols under post selection, which we will use to prove 
the convexity and the invariance of the effective key rate 
t(£(pab))' (i) The measurements conditioned on u are 
simply renormalized versions of the original POVMs: 



M^ = {|£| A {m :/3 = u} 
M u B = {\£\B i p tk) :p = u}, 



(44) 
(45) 



(ii) the filtered states are independent of u and satisfy 
Pab = Pab , and (iii) the probability distribution p(u) = 
At is uniform. Additionally, since p 4 = t/d and the 

is a von Neumann measurement, the marginals p u {x) := 
tr {K/3,fc)>(^(/3,fc)l^4} = 2 are uniform. 

Using the uniform marginals p u (x) in combination with 
theorem [TJ each term I(pab,M ab ) is convex in pab- 
Moreover, due to the uniform distribution of p(u), the 
convexity property immediately transfers to the convex 



I{£{ PAB )) = ^Y^^bMab) 



(46) 



Similarly, from theorem [2] we conclude that each term 
x(pabj^-a) i s concave in pab, which transfers also to 



(47) 



by the same argument. The convexity of the effective 
key rate ¥(£(pab)) now follows immediately form the 
definition in equation (16). 



Next, we show the invariance of r(£(pA B )) under the 
symmetry group G. Since any unitary acts like a basis 
transformation, the sets and effectively inherit 
the G*- and G-invariance from the individual POVM el- 
ements ^4(^,fc) and B^p k y More precisely, the sets 



M 



A 
£>(") 



U* g M u A Uj, 



(48) 

M B W :=U g M u B Ul, (49) 



are again POVMs corresponding to the announcement 
with index g(u) in the protocol. 



Using the definitions ( 48 ) and ( 49 1 , and applying 
lemma [I] each component of r(E (p AB )) transforms as 
follows under unitaries: 



I(p 

x(p 



(U g ) i\/r9(«) 
AB ' 1V MB 

(U 3 ) 



I(p AB ,M AB ) 



ab M b a {u) )=x{pabMZ 



(50) 
(51) 



Due to the uniform distribution of p(u) and the G*- and 
G-invariance of the POVMs, the invariance property of 
the convex sums I{£(pab)) and x(£(pab)) as well as 
f(£{pAB)) follows directly. 

In summary, if the average error rate Q in dcfinition[2]is 
used in the parameter estimation, the optimal attack lies 
in the symmetric subset f for this class of protocols, and 
the key rate r m i n can be calculated according to equation 
( 40 1 without loss of generality. 



Definition 2 The average error rate is the probability 
that Alice sent the signal state \(p(p,k)), but Bob received 
an orthogonal state \(p(p t k')) (k' =/= k), averaged over all 
k and all bases (3 



p 



\c 



(52) 



Pec 



where is the average error rate found in each basis 
QP = ^2 tr {l^(/J,fe))(^,fc)l ® \V{p,k')){V{p,k>)\pAB^ , 



k,k' 
k'itk 



and \C\ is the number of bases in the set C 



(53) 



The average Uhlmann fidelity of Bob's states with re- 
spect to Alice's signal state is defined as 



FB = \C\ 5ZXl tr {l^(/3,fe))K/3,fc)l ® \V(^k)){V(^k)\PAB^ 

(54) 



pec k 



With the definition of Q above, Fg and Q are related by 
the simple relation F B = 1 — Q- 



VI. QUANTUM CLONERS 

A quantum doner is a map that creates two copies of 
quantum states tp x — \ip x )(ip x \ drawn from a set S. Let 
us define three isomorphic Hilbert spaces Ha, H b and 
He each with dimension d. A doner C is a completely 
positive and trace preserving map C : Ha — > W B ® He 
that takes a state <p x € Ha to C(<p x ) £ Hb <8> He- The 
quality of each copy k (k — B, C) is determined by the 
single-clone Uhlmann fidelity fk(f x ,C((p x )) of the copy 
with respect to the original state ip x . If the states ip x are 
pure, the Uhlmann fidelity reads 

f B {!Px,C{(p x )) = tr{\tp x ){(p x \ B ® l c -C{tp x )} (55) 
fc{<Px,C(ip x )) = tr{l B (g> \(p x )(ip x \c ■ C{(p x )} (56) 



Instead of fk(<Px, C(f x )), it is often assumed that only 
the average fidelity 



Fk = i^T fk(<Px,C{ip x )) 



(57) 



is of interest. The doner is called optimal if copy C 
emerges with maximal average fidelity (Fc), while the 
fidelity F B of the copy B has a fixed value. 

The cloning transformation can also be described us- 
ing the Choi-Jamiolkowski isomorphism with a non- 
maximally entangled state. For this purpose, let C act 
on the second half of a source state | $) defined in equa- 
tion ([!]). This relates C to a positive operator oabc S 
Ha ®Hb® He via the rule 



oabc = (1®C)I*)(*I- 



(58) 



The trace-preserving property of C translates to a a — 
ti'sc o~ abc — PA, where pa is the reduced state of the 
source state |<&) given in equation Q. From a abc the 
map C can be recovered through the reverse transforma- 
tion realized by 



C(ip x ) 



p(x) 



tr A [A x (g) 1 B ® lc ■ oabc] 



(59) 



where the A x are the POVM elements defined in equation 
(§. The reverse transformation effectively corresponds 
to preparing the states \tp x ) in the source-replacement 
scheme for the doner. 



A. Covariant doners 

We now give a description of quantum doners based on 
the work of Refs. [HI HE] • Let the set of quantum states 
S is G- invariant. If the figure of merit is the average 
fidelity, then for every cloning map oabc, the "rotated" 
maps 



U* <E)U g <E> U g (JABc(U* <E)U g <E) U g y 



(60) 



for 5 e G yield the same average fidelity Fk as oabc- 
Furthermore, due to the linearity of the trace, there exists 
a covariant cloning map 



OABC = U *9 

gee 



Ug ® Ug<JABC(U; ®Ug® U g^ (61) 



with the same average fidelity Fk as oabc- As a conse- 
quence, we can always choose the cloning map to be a 
covariant map, without loss of generality. The covariant 
state in equation (61) satisfies the commutation relation 



[OABC, UZ ® Ug ® Ug] =0. 



(62) 
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B. Strong covariant doner 

In this section we describe a subset of cloning maps 
with a stronger symmetry than the covariant doners, 
called strong covariant doners. 

The unitary realization Uc of the map C can be 
uniquely described by the purification of <jabc on the 
extended Hilbert space "H® 6 . This unitary realization 
requires three ancillas. Some doners, however, can be 
realized using only one ancilla D, with Uc now acting on 
a smaller space Ha ®%b® He ® Hd ■ In [9] , these don- 
ers are called strong covariant doners and are defined as 
follows: 

Definition 3 A doner is called strong covariant if it has 
a purification \Y>)abcd on Habcd with the property 

U* g ®U g ®U g ® U;\T)abcd = \Z)abcd Vg e G. (63) 

It is easy to see that the strong covariant doners are a 
subset of the covariant doners: for every strong covari- 
ant doner |E), tracing over the fourth system returns a 
covariant state oabc- 

Since the set of covariant cloning maps <j abc is a con- 
vex set and the fidelity is a linear functional of the cloning 
map, the cloning problem is a convex optimization prob- 
lem [9]. The optimal doner is an extremal point of the 
convex set, that means, a map that cannot be written as 
a convex sum of other maps in the set. We want to find 
the extremal map with the maximal clone fidelity. In [§] , 
two theorems about extremal maps are given: 

Theorem 3 (Chiribella et al. [9]). Let U g be an ir- 
reducible representation of the group G, and let K — 
{&abc} denote the set of covariant cloning maps with 
respect to G according to equation \6%fy . Then, every 
cloning map a abc, which allows a strong covariant pu- 
rification is an extremal point of the convex set K . 

This theorem states that the strong covariant maps are 
a subset of the extremal maps. The converse - that the 
extremal maps are a subset of the strong covariant maps 
- is not true in general. The next theorem, however, 
describes a special case in which the set of extremal maps 
and the set of strong covariant maps coincide: 

Theorem 4 (Chiribella et al. f^j). If the set of states 
S to be cloned is G-invariant under the generalized Pauli 
group 11^, then the set of strong covariant cloning maps 
is equal to the set of extremal maps. 

Theorem [4] allows to restrict the search of the optimal 
doner to strong covariant maps based on the symmetries 
of the signal states alone. In section |VII A| we give the 
definition of the generalized Pauli group. 

VII. CONNECTION BETWEEN OPTIMAL 
CLONERS AND OPTIMAL ATTACKS 

We identify the optimal attack in QKD with an op- 
timal doner if Eve's interaction [/p pt coincides with the 



optimal cloning transformation U c pt , or, in terms of the 
purifications, if |*) opt = |E) opt . The optimal attack is 
always chosen from the set of purifications A defined as 
follows: 

Definition 4 We define by A the set that contains the 
purifications of the symmetrized states in T. All 
states in A satisfy the symmetry condition U* ® U g <£> 
Ug ® U* |\&) = |W) for all g £ G, and they are compatible 
with the averaged quantity Q and fixed pa ■ 

We observe that all eavesdropping attacks represented 
by the set A correspond to representations of strong co- 
variant doners. We can therefore make the following 
conclusion: 

Observation 1 The optimal doner can only be the opti- 
mal attack, if it is strong covariant. Otherwise, one can 
already conclude that ^ |S)°p*. 

At this point, the strong covariance property alone 
does not uniquely determine if the optimal attack is an 
optimal doner. Even if the optimal doner is strong co- 
variant, we can only conclude that the optimal attack is 
an optimal doner if the set A contains exactly one state. 
Otherwise, in order to compare the optimal attack with 
the optimal doner, we must perform the optimization. 

A. Pauli-invariant signal states 

As mentioned in theorem [4j a sufficient requirement 
for a cloning map to allow a strong covariant realization 
is the Pauli-invariance of the set of states to be cloned. 
Hence, if the signal states of a QKD protocol are Pauli- 
invariant, the corresponding cloning attack on that pro- 
tocol is certainly realized by a strong covariant doner. 
Therefore, we will focus our attention on protocols with 
signal states that are Pauli-invariant. 

First, let us define the generalized Pauli group 

Definition 5 The generalized Pauli group II^ in d di- 
mensions has d 2 elements. The set of unitaries 

d-i 

U r , s = ^u ks \k + r)(k\, w = e 2 ™ /d , (64) 

k=0 

for r, s = 0, ...,d — 1 form an irreducible unitary repre- 
sentation of lid on a d-dimensional Hilbert space. The 
group has two generators 

Z := U ,i, X := U lfi (65) 

which generate the entire group by the following relation: 

U r , s =X r Z s r,s = 0,...,d-l. (66) 

A state pab that commutes with all U* s (g> U ryS is Bell- 
diagonal 

d-l 

Pab = ^2 u r ,s\Ur, s ){U rt s\, (67) 

r,s— 
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with eigenvalues u r )S > that satisfy 
eigenvectors 



->i*> 



1. The 



(68) 



are called Bell states and form a maximally entangled 
basis of W® 2 . As shown in Refs. [H [S], the gen- 
eral form of the purification of pab is given by = 



s )\U r ^d-s) ■ Since U rtS is an irreducible rep- 



resentation, we can use Schur's lemma in appendix [E] to 
characterize the reduced state pa = \, which is propor- 
tional to the identity. 



VIII. EXAMPLES WITH MUTUALLY 
UNBIASED BASES 

Mutually unbiased bases (MUBs) , which were first in- 
troduced in Refs. [HI [20] , are a common choice for the 
signal states of QKD protocols. For example, in the 
qubit space, the BB84 and the 6-state protocol use 2 
and 3 MUBs, respectively. In higher-dimensional Hilbert 
spaces, MUB protocols have been studied in Refs. |U- 

i minim]- 

MUBs are orthonormal bases B a = 
{\ipf}, \ip2 ))•••, iV'd-i)} 011 d-dimensional Hilbert 
spaces with the property \{tp% \ip%, )| = ^ for all 

k, k' = 0, d — 1 and a =/= a' . In Ref. [23], it was shown 
that when d is a prime number, there exist exactly 
d + 1 MUBs. The eigenbases of the generalized Pauli 
operators Z and XZ 13 for f3 = 0, ...,d — 1 form such 
MUBs 24J . The eigenbasis of the operator Z is denoted 
by the standard basis with the index Z, 



Bz 



|Vf ),-., IVf-i)}, 



l^k> = lfc>, 



(69) 
(70) 



and the eigenbases of the operators XZ@ with indices 
P = 0,...,d-1 by 



B ={\4),\4),...,\r d -i)}, 



d-1 



|y>£> = -^E^"^'>> 

3=0 



(71) 
(72) 



where Sj = \{d — j)(d + j — 1), u> — e 27 ™/ d , and where |j) 
are the basis vectors of the standard basis Bz- 

Let us now consider protocols where the set of signal 
states Sc contains any subset of these d + 1 eigenbases. 
In a slight generalization of the result of theorem 2.2 in 
|24j . we can show that the action fo any Pauli opera- 
tor U r , s on the eigenstates of the Pauli eigenbasis B a for 
a € {Z, 0, 1, d — 1} permutes the eigenstates without 
changing the basis index a. Using this invariance, the set 
of signal states S£ of any such protocol are also Pauli- 
invariant. 



Unfortunately, the full symmetry groups of the sets Sc 
are not known explicitly. Thus, one cannot simply write 
down the general form of the symmetrized states Pab € 
f. However, in a first step, we can exploit the invariance 
of the set Sc with respect to the generalized Pauli group. 
This partial symmetry implies that the optimal attack 
Pab mus t ue i n t ne subset TboIi containing only Bell- 



diagonal states defined in equation ( 67 1 



Let us, therefore, calculate the key rate ( 16 ) for MUB 
protocols with Bell-diagonal states pab- For this pur- 
pose, we require the eigenvalue spectrum of each condi- 
tional state on Bob's side for a € {Z, 0, 1, d— 1}, 
given that Alice obtained the measurement outcome cor- 
responding to the state \ip^)- We project Alice's system 
of the Bell state onto \ipl. a ) and divide the result by a 
normalization constant N: 



(a,k) 

Pb 



,{r k a \u r , s ){u r , s \r k a )/N. (73) 



In the following, all operations are modulo d, and in par- 
ticular, the indices are to be understood modulo d. The 



overlaps in ( 73 1 are found to be 



{r k Z \U r ,s) = ^ k - r)s \k-r) 

l,*P\TT \ —_ 1 ,,,-fcr-4(r-r 2 )|^/,/3 



(r k p \u r . 



Vd 



fc-(s+/3r)' 



(74) 
(75) 



for Z and for (3 <E {0, d— 1}. After reinserting the over- 
laps into ( 73 1 and using by N — -j , we do an index substi- 
tution y = s + (3r in ( 75 1 to obtain the following expres- 
sions for the conditional states for a € {Z, 0, 1, d — 1} 



p { B k) = Y. x v\r k -y)m- 



(76) 



The set of eigenvalues A Q = {Aq , A", A^LjJ for each 
p^g'^ is independent of the index k with the specific val- 



X y ~ E u V' r 
r=0 

d-1 



y-pr 



for Z (77) 
for/3 g {0,...,d- 1}. (78) 



r=0 



The average error rate, the mutual information and the 
Holevo quantity ( p52"j [46] [47] ) can now be calculated using 
the eigenvalue spectrum 



Q = 1 -^E A o 



aec 



T(£(p A B))=log 2 d-^J2H(A a ), 



(79) 



(80) 



aec 



x(£(pab)) = S(pab) - ± E # ( AQ )> ( 81 ) 



aec 
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with the Shannon entropy H(A a ) = — Xy log(Xy) 
and the von Neumann entropy S(p) — — trplogp. The 
key rate ( 16 ) follows straightforwardly, 



r{£{pAs)) = logd- S(pab)- 



(82) 



For the special protocols with 2, d and d + 1 MUBs, 
we further confine our search for the optimal attack to 
smaller subsets T c Teen- The procedure is essentially 
the same as the one we used in section[V]to reduce to the 
subset f from the set r ave . For each state pab in rBcib 



(Pi, 

AB i ' 



we generate an equivalence class of states {p 
1, n} by applying permutations Pi to the eigen valu es of 
Pab- In contrast to the states Pab m equation (34 1, the 
states p A g are not generated using the symmetry group 
of the signal states. However, since the key rate (82 1 is 



proportional to S(pab), all permuted states satisfy the 

(p ) 

invariance property f(E (pab)) — r(£(p A g)). Further- 
more, we chose the permutations in such a way, that the 
(p) 

Pab §i ye the same error rate as pab- This ensures that 

(p) 

the p A g are again in TboII- Consequently, since the con- 



vexity property ( 38 ) of the key rate holds for protocols 



with MUBs, we can conclude that the optimal attack is 
found in the subset T c TbcII containing only convex 
combinations, 

1 \ tp.) ~ 
P AB = n X^ Pab e r. 

i 

(p. \ 

Note that it suffices to check that the states p A g have 
the same average error rate Q as pab in order to be in 
the set TboII- We do not need to monitor the condition 
on pa, because pa = t/d is automatically satisfied for 
any Bell-diagonal state. 



a, b and c corresponding to the three sets U Q , Ub and 
U„ 



d-l 



Pab =a\U ,o){U ,o\+c \Ur, s ){U r , s \+ (84) 

d-l 

bJ2(\ U rfi){Ur,0\ + \ U 0,r)\U ,r))- 



Now we can use the average error rate condition Q = 
(d — l)b + (d — l) 2 c and the normalization condition 
a + 2(d — l)b + d 2 c = 1, to further reduce the num- 
ber of independent eigenvalues to only one. Through 
an (analytical) optimization of the key rate over the free 
eigenvalue, we find the following values for a, b and c that 
describe the optimal attack 



a = (l-Q) 2 , b 



Q(i-Q) 
d-l ' 



Q 2 



(d-iy 



(85) 



These are exactly the same that also describe the optimal 
phase-covariant doner in d dimensions [2]. The connec- 
tion between optimal cloning and the optimal attack for 
2 MUBs was already conjectured in [4]. The key rates 
for these protocols, which were independently obtained 
in Ref. [T3], are given by 



= log d + 2(1 - Q) log(l -Q) + 2Q log 



Q 



d-l 



They are plotted for d = 2, 3, 5, 7, 11, 13 in Fig. [3| Note 
that this plot is not intended to compare the perfor- 
mances of the different protocols. For a fair comparison, 
one must specify the channel model for which the key 
rates are drawn. 



2 MUBs 



B. d+lMUBs 



We describe here how to obtain the states pab € f 
for the example of the 2 MUBs protocol with the signal 
states Sc = {Bo,Bz}'- given a Bell-diagnoal states pab- 
As mentioned above, we generate the (Bell-diagonal) per- 

( p) \ I 

muted states p A g by keeping the error rate ( 79 1 of p A g 

invariant 



Consider protocols with the signal states Sc = 
{Bz, Bo, Bi, ...Bd-i}- In contrast to the case with 2 
MUBs, these protocols arc tomographically complete. 
With the same strategy as for 2 MUBs, we construct 
the set r for this situation: The error rate ( 79 ) of a Bell- 
diagonal state in this scenario is given by 



= 1 



\ w + a?; 



1 



d-l 



1 - 2 ( 2u °'° + X^ Ur '° + u °' r 

\ r=l 



The invariance of Q is guaranteed if the permutations 
Pi leave the sets U a = {uo,o}, Ub = {tio.r, Ur,o', t = 
1, d — 1} and U c = {u r s ; r, s = 1, d — 1} invariant. 
Such permutations Pi are, for example, independent per- 
mutations of the eigenvalues in each set. Therefore, in 
the convex combination pab, the average over all eigen- 
values in each set will appear. In this particular case, 
Pab has three different types of independent eigenvalues 



(d + l)u ,o + X! Ur ' s 

(r,*0/(0,0) 



(86) 



where we used the relation that for r ^ 0, the sum 

Ed— 1 ^-\d— 1 

p—oV>r,—f)r — 2^7=0 Ur -f 

U a = {ito.o} with one eigenvalue, and Ub = {u 
(0, 0)} with the remaining d 2 — 1 eigenvalues. Again, U a 
and Ub determine the form of the states in the set T, 
after averaging over all permutations Pi 



The error rate defines the sets 
: s,(r,s) ^ 



Pab = a\Uo,o}{Uo,a\ 



(r,a)#(0,0) 



U r , s )(U riS \. (87) 
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FIG. 3: Key rates of protocols with (a) d + 1, (b) 2 and (c) d MUBs for d = 2 (black), d = 3 (blue), d = 5 (purple) , d = 7 
(yellow) , d = 11 (green) and d = 13 (red). These plots do not serve as a comparison of the performance of the different 
protocols. 



In this situation, the average eigenvalues a and 6 are 
uniquely defined by the error rate Q = d(d — 1)6 and 
the trace condition a + (d 2 — 1)6 = 1 



1 



1 



Q 



d(d-l) 



As there is only one state in f for this protocol, the 
optimization of the key rate becomes trivial, and we can 
conclude that the optimal doner and the optimal attack 
are equal. This connection was already conjectured in [3]. 
The doner in this case is the optimal universal doner in 
d dimensions [5SJ For d = 2, we recover the the 6- 
state protocol, where the optimal doner is the universal 
doner [27], which clones all the states on the Bloch 
sphere equally well. The key rates of these protocols are 
given by 



logd H — Q log 



d(d-l) 
d+l„\, ( d + l„ . 
1 d~®J 8 ( 1 d~® ' ' 



(89) 



as independently shown in Ref. [T3]. We plot the key 
rates for d = 2,3, 5, 7, 11, 13 in Fig. [3] Again, the plot is 
not intended to compare the performance of the proto- 
cols. 



d MUBs 



The signal states of protocols using d MUBs are = 
{Bq, Si, ...Bd-i}- Unlike the protocols with d MUBs, the 
protocols analyzed here are not tomographically com- 
plete. The error rate 



d-l d-l 



(90) 



r=0 s=l 



defines three sets U a = {«o,o}, Ub = {u r s ; r = 0, d — 
1, s = 1, d— 1} and U c = {uq^ s ; s = 1, 1}, which 



determine the form of pab € r 



d-l 



s=l 



Pas =a|C/ ,o)(C/o,o|+c^|C/o, s )(f/o, s |+ (91) 

d-l d-l 



r=0 s = l 

The eigenvalues a, 6 and c are further constriced by the 
normalization condition a + d(d — 1)6 + (d — l)c = 1, and 
the error rate condition for p^s Q = (d— l) 2 b+(d — l)c. 
We can express two of the three eigenvalues by 

Q-(d-l) c 
fl=1 + C -rf^I &= (d-l)a • (92) 

We perform an optimization of the key rate over the free 
eigenvalue c, and plot the numerically obtained key rates 
r min m Fig- [3] for different dimensions. 

We compare the optimal attack to the optimal multi- 
ple phase-covariant (MPC) doner <7mpc given in Ref. 
|28j . This doner copies all states of the form \ip) = 

1 v-^ d ~ 

Vd ^j=o 



e i<t>j |j) f or (j). ^ [o, 27r) optimally. If it is known 
that the eavesdropper performed an attack based on the 
optimal MPC doner, Alice and Bob can expect some key 
rate tmpc- Numerical optimizations for d = 3,5,7,11 
and 13 show that tmpc is always bigger (or equal) than 
the key rate r m i n . Therefore, the optimal MPC doner 
is not the optimal attack: E/mpc U^ 1 . In Fig. [4] we 
plot the difference between the key rates ^mpc — f„i„, 



and the difference between the fidelities F^ PC 



where FJf tack 



F 'attack 
E 



is Eve's fidelity when using the 



for d = 3, 
optimal attack. 

We would like to remark that the Umpc produces op- 
timal copies of more than just the necessary d MUBs. 
It is possible that there exists a doner Ud that provides 
copies of the d MUBs with a higher fidelity (for fixed 
error rate) than C/ MPC : F% > Fjf PC . This raises the 
question, if the doner Ud could be the optimal attack 
'. To answer this, we turn the question around and 
ask from the cloning point of view, whether the opti- 
mal attack C/^ pt can play the role of the optimal doner 
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events in the same basis. These protocols were already 
described in section VP We denote the average error 
rate for each protocol by Q and Q' . Let us denote Alice 
and Bob's POVM elements by A x and B y for the protocol 
P and by A' x , and B ' , for the protocol P' which are given 



in equation (42 1 and (43). The POVMs conditioned on 



the basis announcement u given in equations ( 44 ) and 
( 45 ) are denoted by and for protocol P and by 



M'^ and M'^ for protocol P' . The sets characterizing 
the possible symmetric attacks are denoted by T and T". 
We also define the set of twirled states as follows 



(b) 




u 0.00020 „ 
o 

S 0.00015 1 

■■B 0.00010 - 

^ 0.00005 1 
"3 

E 0.00000 

0.0 0.1 0.2 0.3 0.4 o.5 0.6 
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FIG. 4: (a) A plot of the difference of the key rates Sr = 
riKPC — fmin for the scenarios where Eve uses the optimal 
cloner (t-mpc), an d where she uses the optimal attack (r m i n ) 
for d = 3. (b) A plot of the difference of the fidelities SFe = 



rriMPC 



^■attack for the scenarios where Eve uses the optimal 



MPC cloner and where she uses the optimal attack 

(Fl ttack ) for d = 3. 



Definition 6 The sets of all twirled bipartite states pab 
with respect to the group G is 

T G = {T g [ P ab]\pab eHa®H b }- 

The following theorem states the criteria under which 
two protocols have the same optimal attack. 

Theorem 5 If the following three conditions are satis- 
fied, the protocols P and P' have the same optimal attack 

(I) Tg = Tc • 

(II) The average measurement quantities Q and Q' pro- 
vide the same constraints on all Pab in Tq and 



(III) There exists a third group H with a representation 
{Wh\ h £ H}, such that G and G' are subgroups of 
H , with the following properties: 



Ud- For this purpose, we compare Eve's fidelity i^|; ttack j 
when she used the optimal attack to the fidelity F^, when 
she used Ud- We know from our numerical optimization 
how ^ttack com p ares to F^ PC : we plotted the differ- 



ence F| IPC 



pat tack 



Fig. 51 From this plot we see 

~ Z7 1 A t t ack U ATirm mv lj-n attt 



that, in general, F^ PC > p'^ &ck _ However, we know 
by construction of U d that the fidelity F% > F^ PC . By 
transitivity it follows that F^ > F^ tt&ck , which proves 
that the optimal attack is not equivalent to the optimal 
cloner U d either. 

In table U we summarize the results obtained for the 
MUB protocols. It turns out that in general the intuition 
that the optimal attack is always an optimal cloner proves 
wrong, as can be seen for the protocols with d MUBs. 



IX. CLASSES OF PROTOCOLS WITH THE 
SAME OPTIMAL ATTACK 

We observe that for certain protocols with different sig- 
nal states, the same attack p A p ^ is found to be optimal. 
Given two protocols P and P' with sets of signal states 
S and S' that are G- and G'-invariant, respectively. We 
consider only protocols where the signal states are or- 
thogonal bases, and where Alice and Bob postselect on 



(a) T H =T G = T G -, and 

(b) for all POVM elements A x £ M A and A' x , E 
M' a there exists a Wh( x ,x') ^ n H such that 



\£\ 2 w* h{XjXl) A x wT {x<xl) 



= \C'\ 2 A' 



(93) 



Note that \IIIb\ automatically implies the relation 
\C\ 2 W h ^ xl) B x wl {x xl) = \C'\ 2 B' X , for Bob's mea- 
surement operators B y defined in equation (43). 



Proof. We show that the optimization of the key rate 
in equation ( 40 ) leads to the same optimal p°£ B for both 
protocols. There are two parts to the proof. First, from 
Q and Q it follows that f = f ' by definition. There- 
fore, the set over which the key rate is optimized is iden- 
tical for the two protocols. Second, we show that the 
mutual information I(£(pab)) and the Holevo quantity 
x(£(p~ab)) in equations (46 47) are identical for both 



protocols for all states in the set T. We show this for the 
example of the mutual information, but the same argu- 
ments apply to the Holevo quantity as well. 

As a starting point, we switch to the language where 
the unitaries act on the sets and instead of the 
individual elements A x and B y . The action of each uni- 
tary U on the A x and B y defines uniquely the action 
of the same unitary U on and Mg by the relation 
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TABLE I: Summary of optimal attack of protocols using MUBs in d dimensions. For the protocols where the optimal attack 
is an optimal doner we put a checkmark (/). Where the optimal attack is not an optimal doner we put a cross (x). The 
numerical optimizations cover the cases of d MUBs up to d — 13. 











Number of MUBs 








Dimension 


2 MUBs 


3 MUBs 


4 MUBs 


5 MUBs 


6 MUBs 


d MUBs 


d+1 MUBs 


2 


/ 


/ 












3 


/ 


X 


/ 










5 


/ 






X 


/ 






d 


/ 












/ 



in (25 



relabe 



26). This correspondence allows us to uniquely 



Wh(x.x') by W/,( Ui „'), where u and v! are the ba- 



'i(u,u') 



sis announcements found in P and P', respectively. We 



can now restate (Ilia) and say that there exists unitaries 
Wh( u ,u') f° r au pairs (u,vf) such that 



M 



w hM miwl (uur) -^ B 



M 



(94) 
(95) 



Furthermore, for a fixed u in P, there exist unitaries 
w h(u ,u) = W h {u,u') W h(u',ua)> connecting all u in P to 
the fixed uq- Similarly, there exist unitaries W^u'g.u') 
connecting a fixed u' to all u in P'. Using the invari- 
ance p AB = W£ ® W h p AB (W£ ® W h Y for all W h G H 
and lemma [TJ the total mutual information of P and P' 
satisfies the following 



I(£(pab)) = ^ J2i(pab,Mab) = I(pabM7b), 

|Z -! u=l 

1 !£J 

I{E\pab)) = r^T, E HpabMab) = I(pabM U a°b)- 



u'=l 



A similar statement can be made for the Holevo quantity 
as well. 

Since there exists also a unitary Wh( Uo ,u' )i we can con- 
clude that 



I(p AB ,M%) = I(p AB ,M' u A ° B ) 



(96) 



from which we conclude that I(£(/5ab)) — !(£' '{Pab)) 
Again, a similar statement holds for the Holevo quantity. 

It follows now that the same function f(£ (pab)) = 
r{£' '(pab)) appears in the optimization of protocols P 
and P' . Since these are now identical optimization prob- 
lems, they must have the same solution, and therefore 
the same optimal attack. ■ 

We will give some examples of protocols with the same 
optimal attack in the next section. We analyze qubit 
protocols, where we can make use of the point group 
symmetries, which are commonly used and well studied 
in the field of crystallography. 



A. Protocols with the same optimal attack as the 
6-state protocol 

The signal states of the 6-state protocol form a regu- 
lar octahedron in the Bloch sphere representation. The 
symmetry group G that maps an octahedron onto itself 
is the discrete group O with a unitary irreducible repre- 
sentation on the qubit space. A symmetry group G' that 
satisfy the criterium p|) in theorem [5] is for example the 
icosahedron group / [291 ED] • 

We can now construct protocols with signal states that 
are invariant under O- or /-symmetry. For example, 
let us examine protocols, where the signal states form 
a cube (O-symmetry), a dodecahedron (/-symmetry) or 
an icosahedron (again /-symmetry) on the Bloch sphere, 
consisting of 8, 20 and 12 states, respectively. For each 
state there exists an orthogonal state on the opposite side 
of the Bloch sphere. See Fig. [5] for a representation of 
the signal states of the 6-state and the cube protocol. 

The average error rate adopts the same form for all 
these protocols, namely, Q = 26, where b is defined in 
equation (87). Therefore, condition (|ll| in theorem [5] is 
also satisfied, and we conclude that the sets f for these 
protocols are identical to the set given in the case of the 
6-state protocol. Since there is only one state in T for 
the 6-state protocol, we can already conclude that the 
optimal attack of the 6-state, the cube, the icosahedron 
and the dodecahedron protocols are the same, which was 
already established to be the optimal universal doner. 



B. Protocols with the same optimal attack as the 
BB84 protocol 

We analyze protocols with 2n (n > 2) signal states 
|^>ar)j that are distributed equally in the equatorial plane 
of the Bloch sphere, represented by the Bloch vectors 

4 2n) = (sin(7ra/n),0,cos(7rx/n)) x = 0, 2n - 1. 

(97) 

For each state \ip x ) there exists an orthogonal state \<p x ) 
on the opposite side of the Bloch sphere, which together 
form a basis. For n — 2, we recover the signal states of 
the BB84 protocol. In Fig. [6] the signal states of the 
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(a) 





FIG. 5: Representation of sets of signal states on the Bloch 
sphere related to the 6-state protocol, (a) States that are 
invariant under SU(2) (b) States of the 6-state protocol (Oc- 
tahedron), invariant under O-symmetry, (c) States of the cube 
protocol, invariant under O-symmetry. 



FIG. 6: Representation of signal states on the Bloch sphere 
for protocols related to the BB84 protocol, (a) States that 
are invariant under Daa (b) States of the BB84 protocol, 
D4-symmetry (c) States of the 2n protocol for n = 3, De- 
symmetry 



2n protocols for n — 2, 3 are represented on the Bloch 
sphere. 

The symmetry group of the signal states of the 2n- 
protocol is called the dihedral group denoted by D 2n - In 
the multiplication tables of Rcfs. [291 130]) we find the 
form of the set Td 2 „ f° r n — 2,3. It turns out that 
Trj 6 = Td 4 , where Tn 4 contains the symmetrized states 



of the BB84 protocol given in equation (84| for d = 2. 
The error rate Q = b + c of the 2n-protocol with n = 3 
is the same as for the BB84 protocol, where b and c are 
defined in equation ( 84 ) . Thus we can conclude that 

T6 = T4 = TbB84- 

Let us define Alice's POVM elements of the BB84 and 



the 2n-protocol by A x Bm ^ for x 



1, ...4 and A ( 3 n) for 



x = l,...,2n. In both cases, the POVM elements are 
projectors onto the signal states. We can identify the 
group H in theorem [5] by the phase-covariant symmetry 
group -Doo = U(l) x n 2 , where II 2 is the Pauli group of 
dimension 2 and ?7(1) is the unitary group. In the tables 
of Ref. [3D], we find that the set Trj^ is identical to 
Tj3 4 and T£> 6 . The phase-covariant group contains all 
rotations about the axis (0, 1, 0) on the Bloch sphere, as 
well as rotations by n about all axes lying in the [x, z)- 
plane. Thus, it also contains group elements that satisfy 
(Illbl of theo remj sjfor any pair A x BB8i ^ and A^ n \ Since 
all criteria of ( |III[ ) are satisfied by , the optimal attack 
for the 2n-protocol for n = 3 can be identified by the 
optimal phase-covariant doner, which is also the optimal 
attack of the BB84 protocol. 



C. The cuboid protocol 

For some protocols with tomographically complete 
measurement settings the set T contains more than one 
state. This has to do with loss of information during 
the symmetrization process. Recall that Alice and Bob 
only keep the averaged quantity Q, but otherwise ignore 
the measurement outcomes completely. This means that 
introducing symmetries to a problem can come at the 
expense of increasing the number of states in T. 

As an example consider a qubit protocol where the 
signal states lie on the corners of a rectangular cuboid. 



The signal states are specified by the Bloch vectors 

s x = (±sin0,±cos0,O) (98) 
s z = (O,±cos0,±sin0), (99) 

where 9 describes the angle between the (0, y, 0)-axis of 
the Bloch sphere and the corners of the cuboid. This 
protocol is composed of 4 bases. For each state \ip x ) 
there exists an orthogonal state \(p x ) on the opposite side 
of the Bloch sphere. 

The symmetry group of this protocol is the same as of 
the BB84 protocol {D 4 ). Although ^ in theorem [5] is 
satisfied, the error rate of the cuboid protocol is given by 
Q = \ (36 + c + (b — c) cos(20)), which is different from 
the BB84 error definition. Moreover, we could not find a 



group H to satisfy the condition ( III ) . We performed nu- 



merical optimizations and found that the optimal attack 
of the cuboid protocol is not equal to the optimal attack 
on the BB84 protocol. It is also not the optimal doner. 

Note that for 9 = f , we recover the BB84 protocol. For 
9 = ~ the signal states span a cube, which we already 
discussed in section llXAl 



X. CONCLUSION 

In this paper we analyze the connection between the 
optimal attack on a QKD protocol and the optimal 
cloning attack, in which the eavesdropper uses an optimal 
doner to attack the protocol. We analyze protocols that 
have sufficient symmetries in the signal states and the 
post processing of the classical data, so that the optimal 
attack is, without loss of generality, a symmetric attack 
in the framework of the security proof of Refs. [U [5]. 

We compare the optimal symmetric attack to optimal 
covariant doners. It turns out that a necessary condition 
for the cloning transformation to be an optimal attack is 
the strong covariance condition, which guarantees that 
the optimal attack and the optimal doner are chosen 
from the same set. However, this condition is not suf- 
ficient to uniquely identify the optimal attack with the 
optimal doner, except in the case where only one state 
is found in the set from which the optimal attack and 
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the optimal doner are chosen. Protocols which use d + 1 
MUBs fall into this category. 

We analyze the optimal attack of protocols using 2, d 
and d + 1 MUBs in d-dimensional Hilbert spaces. Intu- 
itively, one expects that the optimal attack can always 
be identified with an optimal doner. We prove that this 
intuition is correct in the case of 2 and d + 1 MUBs, 
but for protocols using d MUBs, the connection between 
optimal attack and optimal doner fails. 

We show that two protocols using different signal states 
can be shown to give rise to the same optimal eavesdrop- 
ping attack. Whether this is the case can be investigated 
by simple analysis of the symmetries of the signal states, 
and we give examples related to the 6-state and the BB84 
protocol. 

During the preparation of this manuscript a related 
preprint [T3] has appeared, where the key rates of pro- 
tocols using 2 and d + 1 MUBs in d dimensions were 
calculated. In contrast to Ref. [13] . our emphasis lies 
on establishing the general connection between optimal 
cloning and optimal eavesdropping. 
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Appendix A: Post selection 

In many cases Alice and Bob share data at the end of 
the quantum phase of their protocol, that contains unus- 
able parts for the key generation. Typically they postse- 
lect on a set of useful data. The postselection which we 
describe here applies for example to basis sifting, or to 
the case where Alice and Bob discard data points because 
Bob did not receive a signal. 

Let us first examine the classical version of the posts- 
election protocol, which starts with the ccq state pxye- 
In the postselection described here, an announcement 
is made for each individual signal. After the quantum 
phase, Alice and Bob identify the weakly correlated data 
that they want to filter out by calculating to each mea- 
surement outcome x and y some values f{x) = v and 
f(y) = w, and announcing v and w publicly. Typically, 
the announcements v and w do not reveal any informa- 
tion about the key. Based on the announcements, Alice 
and Bob decide of they want to keep the data or dis- 
card it. For example, they can keep only those events 
where v = w = u. In particular, v and w often plays the 
role of a basis announcement where Alice and Bob only 



keep those events which they measured in the same ba- 
sis, namely where v = w = u, and discard the rest of the 
signals, where v ^ w. By identifying the values v and w, 
Alice and Bob effectively partition their original POVMs 
Ma and Mg into subsets = {A x : f(x) = v} and 
nig = {By : f(y) = w}, each containing the POVM ele- 
ments labeled by the value v or w of the announcement. 

The quantum version of the postselection procedure 
is described by the map £, which is composed of two 
consecutive steps: First, the announcement and filtering, 
which is jointly described by a quantum operation, and 
second, the measurement of the remaining states. 

The announcement and filtering is described by a 
quantum operation with Kraus operators K u ® L u on 
'Ha'&Hb- Since only events with w = v = u are kept, the 
Kraus operators come in paris K u <S> L u with the same in- 
dex u. The Kraus operators satisfy Y^ u Ku^u ® L^ U L U < 
1, and they are related to the POVM elements in and 
m B by the rule K u = J^~7A x and L u = B v 

The probability that the state pab is kept during the 
postselection is pkept- There is also a Kraus operator 
corresponding to the discarded events, which happens 
with probability 1 — Pkcpt- For each Kraus operator, the 
information u is announced to all parties and stored in 
three classical registers A, B and E held by Alice, Bob 
and Eve, respectively. The state after the quantum op- 
eration held by Alice, Bob and Eve, conditioned on kept 
events is given by 

^=$^p(u)|*u}<*u|<8 \u)(u\ Abe , (Al) 

u 

where \^ u ) = K u <g) L u ® 1 B y/p(u) is the pure state 
conditioned on the announcement u with normalization 
p(u), and p(u) = p{u) /pkept is the normalized probability 
distribution of the announcement u conditioned on events 
that were kept. 

The announcement and filtering step is followed by a 
measurement to extract the remaining data. Each \^ u ) is 
measured with respect to new (normalized) POVMs 
and Mg with elements conditioned on the announcement 
u: 

Ml = {Al} = {K-^AxK-V : A x e m^} (A2) 
Mb = {B u y } = {L-'ByL-/ : B y e m£} (A3) 

The inverses K~ x and L~ x are defined on the non-zero 
subspace of K u and L u only. Again, the new POVMs 
only come in paris with the same index u. 

The measurement of \^ u ) with respect to the new 
POVM M" = M A (g) M| is equivalent to the measure- 
ment of | "J) with respect to the original POVM, namely 
tr AB {Al ®B^® 1 B |* U )<#„|} = J ^- ) tr AB {A x ® B y ® 

IbI^) (^l}. The measurement transforms \^ u ) into a 
ccq state 

I *„)(*„ | -> Pxye = ^Vv.{x,y)\x,y){x,y\ <g> pf (A4) 

M" 
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withp u (x,y) = tr{A^B^l E \^ u )(^u\} = p{x,y)/p(u) 
and the conditional states p x E = tr ab{A x ® B y ® 
l\^){^\}/p{x,y). 

We choose to calculate the key rate from each ccq state 
Pxye independently, which leads to the effective key rate 



XYE)- 



(A5) 



Appendix B: Proof of the weak convexity of the 
classical mutual information 



In this appendix we prove theorem [T] in section |IV| 
Proof. The mutual information I(pab,~M-ab) de- 
pends only on the probability distribution p(x,y). 
For p~ab the mutual information is explicitly given 
by I{p AB MAB) = H(p(x)) - H(X\Y) p , where 
H(p(x)) — ~^2 x p{x)\ogp{x) is the Shannon entropy, 

and H(X\Y) p = £ B y p(x, y) log (^g) is the condi- 
tional entropy. The first term satisfies 



H(p(x)) = H(p{x)) = H(q(x)), 



(Bl) 



because p(x) = q(x) = p{x). The second term, the con- 
ditional entropy, is concave, namely 



H(X\Y) p < XH(X\Y) p + (1 - \)H(X\Y) 



(B2) 



where H(X\Y) p = -J2 x , y P( x ^y) lo s{j^yy) and sim- 
ilarly for H(X\Y) q . The concavity of the conditional 
entropy is shown by applying the log sum inequality |31j , 

(?°H&^?°' los (£> (B3) 



to H(X\Y)p. Equations (Bl) and (B2| together imply 
the weak convexity of the classical mutual information. 



Appendix C: Proof of the concavity of the Holevo 
quantity 

In this appendix we prove theorem [2] in section [TV] We 
will use the traditional notation 



X(X : E) 



p(x)S(pl 



to denote the Holevo quantity of the cq state pxe = 

T, x p( x )\ x )( x \®Pe- 

Proof. Given the states pab and o~ab with purifica- 
tions \^)abe' and |£)abe' on the system E = E' . Alice 
measures the states with respect to the POVM elements 
A x and stores the result in the system X. The cq states 



describing the situation for Alice and Eve after the mea- 
surement are 

I*) -> PXE' = J2p( x )\ x )( x \®Pe-, (CI) 

X 

\Zj) -> GXE' = Y,<l{ x )\ x ){ x \®°E>, (C2) 

X 

with Eve's conditional states p x E , = ttAB{A x ® 
l|tf)<tf|}/p(a;)andof, = tv A B{A x ®t\T){T,\}/q{x). The 
Holevo quantity of pxE' and o~xe' is given by 



X {pabMa))=x{X:E>) PxeI 
X (<tab,Ma)) = x(X :E') axE , 



(C3) 



We construct a particular purification on the joint sys- 
tem E = E'F for the convex sum Pab — Xpab + (1 — 
X)aAB- 



\*}abe>f = VA|*)|0) f + v / T^A|S}|l} F . 



(C4) 



After measuring \^)abe'f with respect to A x , the state 
shared by Alice and Eve is 



Pxe'f = ^2p(x)\x)(x\ <g> p x E , F 



(C5) 



with Eve's conditional states p%ip = tr ab{A x <E> 
1be>f\V)(*\}/P(x) a,ndp(x)=Xp(x) + {l-X)q{x). The 
Holevo quantity of px E' f is 

X {pabMa))=x(X:E'F) Pxe , f . 

Let A4 : F F' be a trace-preserving quantum oper- 
ation. For our purposes, we identify A4 with a measure- 
ment on F in the standard basis {|0), |1)} and write the 
outcome in a new register F'. By defining X x = ASct, 
the state after the measurement is given by 

PXE'F' = ^p(x)\x){x\®[X x p E ,®\0)(0\ F , (C6) 

X 

+{l-\ x )o- x E ,® \l)(l\ F <\. (C7) 

Let us state a lemma about the Holevo quantity ex- 
tracted from a state of the form px E' f 1 ■ 

Lemma 3 The Holevo quantity extracted from pxe'F' 
satisfies 

X (X : E'F') Pxe , fI > \ X (X : E') PxE , + (C8) 
{l-X) X {X:E') axEn 

with x(X : E') p , and x(A : E') a , given in equation 



C3). Equality holds, if the probabilities X x are indepen- 
dent of x, X x = X. 

Proof. From px e' f' we calculate the Holevo quantity us- 
ing the joint entropy theorem of the von Neuman entropy 
(321 



X (X : EF') = X X (X : E') PxE , + (1 - X) X (X : E% XE , 
+h(X) -J2p(x)HX x ), (C9) 
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with the binary entropy function h(x) = —x log(a;) — (1 — 
x)log(l-ir), and where \{ x ■ E ') PxE > and%(^ : E')<7 XE , 
are given in equation ( C3 ) . From the concavity of the 



Shannon entropy it follows that h(X)— ^2 p(x)h(X x ) > 0, 
and in particular, if A = A^ for all x, the equality holds. 



According to [32 : , a map of the form A4 : F 
only decrease the Holevo quantity: 



representation of G can be decomposed into a direct sum 
of irreducible representations. For example, the tensor 
product U^ ] * ® U^ v) is a reducible representation of G 
and can be decomposed into a (block diagonal) direct 
sum of irreducible representations LQv defined on the 
,<>) 



F' can spaces ~Wf carrying the irreducible representations p 



X (X : E'F) PxElp > X (X : E'F'[ 



PXE' F' 



(CIO) 



(El) 



fi i—l 



Equation (C8| together with equation (CIO), show that 
the desired result. ■ 



Appendix D: Proof of lemma [2] 

In this appendix we prove the G*-invariance of pa and 
A x for the source-replacement scheme in section [TTJ if 
p{x) is uniformly distributed and if the signal states are 
G-invariant. 

Proof. We trace out system S from the source state 
|$)y!is m equation ^ and identify Alice's reduced state 
PA by 



Each irreducible representation p occurs with integer 
multiplicity indicated by the index i. 



According to Schur's lemma, an operator t^'^ : 



h (p) ^ U W) that satisfies T $ V) U$ 



all g € G is either (i) the identity map from -> W?° 
if p = u, or (ii) equal to zero. Using Schur's lemma, every 
positive operator Pab that commutes with all the group 



elements of U, 



Ug is characterized by 



^=00 4fr„ 



0)^0) 

ij 



(E2) 



PA 



Ki\i)(i\ = p (x) | (fx) {(p x | . (Dl) where the are x matrices with positive eigen- 



values and t\^ } is the identity map between the 
subspaces with equal representation. After diagonaliz- 
ing , we can rewrite pab in a block-diagonal form on 
a new decomposition of the Hilbert space by 

^ = ®®\ W 1, M (E3) 

u i=l 

where 1-^ is the identity on the subspace K?f\ The 
block-diagonal form of Ug^* ® C/g^ is quasi "inherited" 
by Pab- 

Appendix F: Post selection on orthonormal bases 

In this appendix we calculate the filters K u and L u for 



From the G-invariance of the signal states and the uni- 
form distribution of p(x), it follows that pa is also G- 
invariant. Since pa is diagonal in the basis B with real 
eigenvalues Ki, it holds that 

Pa = Pa- 

Therefore, pa is also G*-invariance (where the complex 
conjugate is taken with respect to the Schmidt basis) as 
can be easily seen from U*paU^ = (U 9 paU£)* — pa- 

Due to the positivity of the coefficients Ki and the full 
rank of pa, the square root ^/pX and the inverse p~ A x are 
well-defined. The G- and G*-invariance of p^ 1 can be 
straightforwardly verified: U g p A = (UgPAU^)^ 1 = 
Pa j and similarly for the G*-invariance. 

In |17) . it is shown for permutation groups, that for 
every positive G-invariant operator pa, \fp~A is also G- 
invariant. The same proof applies also here, and thus, 
the G- and G*-invariance of pa also implies the G- and 
G*-invariance of y/p~A. 

By using the G-invariance of the signals states, and the 
G*-invariance of yfpA and p^ 1 , the G*-invariance of A x 
follows directly from the definition in equation (J3j) . 



Appendix E: Properties of symmetrized states 

The symmetrized states with the commutation prop- 
erty ( 36 ) can be characterized using Schur's lemma. Let 



the class of protocols described in section V D 



Given a protocol where the set of signal states Sc con- 
tains \C\ complete bases. Alice and Bob announce the 
basis of each signal, which partitions the POVMs 
and M.b into \£\ disjoint sets = {A(p t k) '■ = v } 
and = {B^^ : f3 — w}. They decide to keep 
only those events which were measured in the same ba- 
sis, e.g., those where they made the same announcement 
f(x) = f(y) — u. Each set is associate with the filters 



(Fl) 



the unitaries Ug^ denote the irreducible representation 
p of a group G on the Hilbert spaces "H M . Every reducible 



which are proportional to the identity for all u. 

Let Alice and Bob share a state pab with a purification 
\^). Due to the particular form of the filters, it follows 
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that = |*), and that the new POVMs and M| 
are only a rescaled version of the old ones 

M\ = {\C\A {m :l3 = u} (F2) 

M U B = {\C\ B {m : /? = u} (F3) 
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